fix(agent): scope subdirectory hint discovery to workspace directory

SubdirectoryHintTracker._is_valid_subdir() did not check whether the candidate directory is inside the configured working_dir. This allowed tool calls that touch files in unrelated directories to inject AGENTS.md, CLAUDE.md, or .cursorrules content from completely different projects into the agent context, causing instruction contamination. Add a workspace boundary check using Path.relative_to() so only directories inside working_dir are scanned for hint files. Fixes #14471
2026-04-25 00:51:20 +00:00 · 2026-04-23 17:19:36 +07:00 · 2026-04-23 17:19:36 +07:00 · fc0cfd1e2f
commit fc0cfd1e2f
parent 2367c6ffd5
1 changed files with 15 additions and 1 deletions
--- a/agent/subdirectory_hints.py
+++ b/agent/subdirectory_hints.py
@ -158,7 +158,12 @@ class SubdirectoryHintTracker:
            self._add_path_candidate(token, candidates)

    def _is_valid_subdir(self, path: Path) -> bool:
-        """Check if path is a valid directory to scan for hints."""
+        """Check if path is a valid directory to scan for hints.
+
+        Only allows directories inside the configured working_dir to prevent
+        unrelated instruction files from being injected into the agent context
+        (e.g., an AGENTS.md from a completely different project).
+        """
        try:
            if not path.is_dir():
                return False
@ -166,6 +171,15 @@ class SubdirectoryHintTracker:
            return False
        if path in self._loaded_dirs:
            return False
+        # Scope to workspace — only scan directories inside working_dir
+        try:
+            path.relative_to(self.working_dir)
+        except ValueError:
+            logger.debug(
+                "Skipping subdirectory hint for %s: outside working_dir %s",
+                path, self.working_dir,
+            )
+            return False
        return True

    def _load_hints_for_directory(self, directory: Path) -> Optional[str]: